Reveton is a nasty and well known piece of Ransomware, typically hijacking the desktop with a locked screen and asking victims to pay up “or else”. The “or else” usually involves fictitious threats of law enforcement related justice being brought down upon their heads unless they pay up $200 via the scammer’s chosen payment method.

Today we saw a Reveton hijack which ditches the locked desktop in favour of something a little more old school – horror of horrors, a piece of Fake AV called Live Security Professional.


This one begins with the Sweet Orange Exploit Kit. Here are some example URLs (the URLs themselves typically serve Java class exploits):

din(dot)sanjosestategrad(dot)com/project/board(dot)php?connect=17

Reveton has certain characteristics, and this attack does indeed make use of them. As far as this particular example goes, we have the following information:

* The downloader is encrypted, and when downloaded creates a randomly named .dll which then runs the rogue. As a result, the URLs will not always be the same, and you can only obtain the binary when it is downloaded or extracted.

* It stores itself in familiar locations with a .dat extension and uses the well-worn .lnk file to launch on boot.
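As an added illustration (not part of the original post), the following PowerShell check looks for the persistence trait listed above: it reads every .lnk in the per-user and all-users Startup folders and flags any whose target or arguments reference a .dat file. The Startup-folder enumeration and the .dat heuristic are assumptions for illustration; a flagged shortcut warrants a closer look, not an automatic verdict.

```powershell
# Added example, not from the original post. Flags Startup-folder shortcuts
# (.lnk) that launch a .dat file, the Reveton persistence pattern described
# above. Assumption: .dat targets in Startup are rare on a clean machine.
function Find-SuspiciousStartupShortcut {
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup')        # current user's Startup folder
        [Environment]::GetFolderPath('CommonStartup')  # all-users Startup folder
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    # WScript.Shell resolves the shortcut's target and arguments for us.
    $shell = New-Object -ComObject WScript.Shell

    foreach ($dir in $startupDirs) {
        Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk          = $shell.CreateShortcut($_.FullName)
                $target       = $lnk.TargetPath
                $shortcutArgs = $lnk.Arguments

                # The .dat payload may be the target itself or be passed as an
                # argument to a host process (assumption: both forms are possible).
                $suspicious = ($target -match '\.dat$') -or ($shortcutArgs -match '\.dat(\s|$)')

                # Hash the target when it exists so it can be checked against
                # known-bad samples or submitted for analysis.
                $hash = $null
                if ($suspicious -and (Test-Path -LiteralPath $target)) {
                    $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
                }

                [pscustomobject]@{
                    Shortcut   = $_.FullName
                    Target     = $target
                    Arguments  = $shortcutArgs
                    Suspicious = $suspicious
                    SHA256     = $hash
                }
            }
    }
}

# Show every Startup shortcut, suspicious ones first.
Find-SuspiciousStartupShortcut | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```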


In other words, it behaves like Reveton except that it doesn’t lock the screen and uses a rogue instead, an interesting shift in tactics given that Ransomware is currently pulling out all the stops to hijack end-users and force them to pay up. We’ll update this post with more information as we get it.

Christopher Boyd (Thanks to Matthew for finding this and Patrick for additional information)

ThreatTrack Security Labs is the power behind the malware analysis, detection and remediation technologies developed by ThreatTrack Security. From facilities in the United States and the Philippines, our team of cybersecurity professionals, malware researchers, engineers and software developers work around the clock to discover and combat Advanced Persistent Threats, targeted attacks, Zero-days and other sophisticated malware. The company develops advanced cybersecurity solutions that Expose, Analyze and Eliminate the latest malicious threats, including its ThreatSecure advanced threat detection and remediation platform, ThreatAnalyzer malware behavioral analysis sandbox, ThreatIQ real-time threat intelligence service, and VIPRE business antivirus endpoint protection. Learn more about ThreatTrack Security.